ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


The Archives and Records Association of the UK and Ireland (ARA) considers that in general the 
draft guidance is clear and comprehensive. However, there is at least one significant gap in the 
chapter on exemptions, which starts on page 46. This chapter explains what are considered the 
main exemptions but completely omits any reference to certain exemptions permitted under GDPR 
Article 89 and specified in Schedule 2 part 6 to the UK Data Protection Act 2018. The exemptions 
for processing for the purposes of research and for archiving in the public interest are extremely 
important to members of ARA. All parties - data controllers, data processors, individuals employed 
by them, and data subjects - should be made aware of the limitations on rights of subject access 
under these provisions and have access to guidance on how and in what circumstances they may 
apply. ARA’s preference would be for some guidance to be included in this chapter, but at the very 
least the exemptions which are not described in detail should be listed so that their existence is 
clear. 


The other significant gap relates to the approach needed in some cases. There are times when the 
context and purpose of the request are relevant to how it should be handled, including what 
information is provided and how it is provided. An impersonal approach will work for most requests 
but for the few involving vulnerable requesters something more empathetic may be required that 
takes account of personal circumstances. One example is cared for children, who subsequently 
seek details of their time in care to add to their own memories so as to create their life history. For 
them, excessive redaction with minimal explanation of why it was needed will have an ongoing 
effect. Those handling such requests need to ask themselves whether details really must be 
redacted, given the context of the request and the impact of the response on requesters and, if so, 
explain the reasons. 


Q2 Does the draft guidance contain the right level of detail? 


Yes 
x No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


In general yes, but it would be useful to include more internal cross-references. For example, on 
page 23 under ‘Can we clarify the request’ we are told that any delays caused by awaiting the 
clarification do not affect the timescale for response. However, there are slightly different
provisions for unstructured manual records, on page 59, and a cross-reference to them would be 
helpful. 


On page 37 there is text on exemptions under ‘What are exemptions and how do they work’.
Cross-references to the separate chapters on exemptions and on special cases are needed here.


Also, there are several references to retention and deletion policies but we suggest you add 
something about processes to apply them. Having the policies is one thing, applying them 
consistently and documenting their application is also necessary. 


Q3 Does the draft guidance contain enough examples? 


Yes 
X No 


Unsure/don’t know 


If no or unsure/don't know, please provide any examples that you 
think should be included in the draft guidance. 


ARA recommends addition of examples covering the human angle, ie the approach that 
may sometimes be needed, as noted at Q1. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


ARA has none to add. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful
O O O O 


Q6 Why have you given this score? 


The draft guidance is admirably clear but please note ARA’s response at Q1 and Q2 in 
particular. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree
0O 0O 0O LJ 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


The guidance is aimed at DPOs and others responsible for data protection and is fit for 
purpose, notwithstanding ARA’s other comments. However, many data subjects will seek 
guidance too and ARA hopes you will provide companion guidance aimed at the general
public.


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Archives and Records Association of the United Kingdom and Ireland (ARA) 


What sector are you from: 


Archives and records and information management 


Q10 How did you find out about this survey? 


ICO Twitter account
ICO Facebook account
ICO LinkedIn account
ICO website
ICO newsletter
ICO staff member
Colleague
Personal/work Twitter account
Personal/work Facebook account
Personal/work LinkedIn account
Other


Thank you for taking the time to complete the survey. 


